Assets Server security features overview

This article describes the security features for Assets Server. Use it as a quick reference to find out if any of the issues affect your Assets Server environment.

Important: The default configuration settings of Assets Server are intended to keep the system as secure as possible. Change these settings with care and at your own risk.

Security configuration overview

The following is an overview of the security configuration of Assets Server.

Data changing APIs only accept POST requests

Because of improved security measures in the REST API of Assets Server, all data-changing APIs only accept POST requests, not GET requests. In addition, the POST request needs to include a cross-site request forgery (CSRF) token.

The CSRF token is a unique code; including it in the request makes the POST request unique as well and therefore much more secure.

The CSRF token is obtained by first logging in to Assets Server through a POST request. The response includes the CSRF token, which can then be used in subsequent POST requests as an HTTP header:
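The flow just described, modelled end to end as an added example (not Assets Server code): an in-memory stand-in for the server issues the token on a POST log-in and refuses data-changing calls that arrive as GET or lack the session's token. The header name X-CSRF-TOKEN, the response field csrfToken, the endpoint paths and the credentials are constructed for this example.

```python
import secrets

# Constructed endpoint paths; the product's real paths are not on this page.
DATA_CHANGING = {"/services/update", "/services/remove"}
CSRF_HEADER = "X-CSRF-TOKEN"  # assumed header name


class AssetsServerModel:
    """In-memory stand-in for the server side of the CSRF flow."""

    def __init__(self):
        self.sessions = {}  # session id -> CSRF token issued at log-in

    def login(self, method, username, password):
        """Log-in is itself a POST; its response carries the CSRF token."""
        if method != "POST":
            return 405, None
        if (username, password) != ("editor", "correct horse"):  # constructed credentials
            return 401, None
        sid, token = secrets.token_hex(16), secrets.token_hex(32)
        self.sessions[sid] = token
        return 200, {"sessionId": sid, "csrfToken": token}

    def handle(self, method, path, session_id, headers):
        """Apply the rules from the text to a request on an existing session."""
        token = self.sessions.get(session_id)
        if token is None:
            return 401
        if path in DATA_CHANGING:
            if method != "POST":
                return 405  # data-changing APIs do not accept GET at all
            # constant-time comparison so the check does not leak the token by timing
            if not secrets.compare_digest(headers.get(CSRF_HEADER, ""), token):
                return 403  # POST without the session's token is refused
        return 200


def client_flow(server):
    """The client side: log in, read the token, reuse it as an HTTP header."""
    _, body = server.login("POST", "editor", "correct horse")
    sid, token = body["sessionId"], body["csrfToken"]
    update = "/services/update"
    return {
        "get_update": server.handle("GET", update, sid, {}),
        "post_no_token": server.handle("POST", update, sid, {}),
        "post_wrong_token": server.handle("POST", update, sid, {CSRF_HEADER: "bogus"}),
        "post_with_token": server.handle("POST", update, sid, {CSRF_HEADER: token}),
        "get_search": server.handle("GET", "/services/search", sid, {}),
    }
```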

Cross-origin protection

AJAX calls to Elvis Server are blocked by Web browsers if the Web page that is making the call is not on one of the configured domains. By default, only the server domain is allowed.

Example: If Elvis Server is running on http://elvis.yourdomain.com and you want to perform a cross-domain REST search from a Web page hosted on http://www.yourdomain.com, the Web browser will not perform the request.

Note: The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from a different origin. (See mozilla.org: Same-origin policy.)

X-Frame-Options

The X-Frame-Options HTTP response header can be used to indicate whether or not a Web browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites. It is mainly used for older Web browsers.

Previews of Web pages (files in .html format) that are stored in Assets Server are disabled by default.

Note: Previews of Microsoft Office documents are still shown despite being in HTML format.

Previews for these files can be enabled by setting the option named 'security.enableHtmlPreviews' to 'true'.

security.enableHtmlPreviews=true

This option works together with the option 'security.sandboxPreviews' (see above): when 'security.enableHtmlPreviews' is enabled, the HTML previews are still secured as long as 'security.sandboxPreviews' is also enabled. However, not all Web browsers support this.

Log-in blocking

The number of times that a user can attempt to log in is limited.

When incorrect credentials are entered a few times, logging in through the user’s IP address will be blocked for a short period of time.

Various options for this feature can be configured; see the 'log-in throttling' options below.

Security options that may affect your Assets Server setup

The following lists some of the security issues that may affect your Assets Server environment.

Limited functionality for HTML pages loaded outside the Web client

HTML pages that are stored in Assets Server will have limited functionality when they are loaded outside the Web client for use in banners, forms or other objects that depend on JavaScript or external sources. This is because of the Content Security Policy headers which limit what the object is allowed to do. (See HTML previews above.)

Web client prevented from loading in a frame or iframe

If your Assets Server installation is used in combination with a solution that loads the Web client in a frame or iframe, the anti-clickjacking headers will prevent the Web client from being loaded, thereby breaking the integration. (See HTML previews above.)

No preview for Word files and Web pages when Web client is served from a different domain than Assets Server

If your Web client is served from a different domain than Assets Server, the anti-clickjacking headers will prevent previews for Word files (in .doc format) and Web pages (in .html format). (See Anti-clickjacking headers above.)

When Assets Server is running behind a load balancer, the IP address of the remote host of a request may be retrieved from the request header X-Forwarded-For by setting the option named 'security.runningBehindLoadBalancer' to 'true'.

security.runningBehindLoadBalancer=true

Caution: Enabling this option when Assets Server is not running behind a load balancer allows an attacker to circumvent the IP-based log-in throttling by spoofing the IP address in that header. (See the option 'security.loginThrottle.maxFailedIpAttempts' below.)

The number of log-in attempts for a combination of IP address and user name that are allowed before log-in throttling takes place can be set through the option named 'security.loginThrottle.maxFailedUsernameAttempts'.

This is separate from IP-based blocks and is generally set lower than the option 'maxFailedIpAttempts', so that when users share the same IP address, the failed attempts of one user do not affect all other users.

When the log-in attempts of a user have failed (defined through the options named 'maxFailedUsernameAttempts' or 'maxFailedIpAttempts'), the minimum time that a user has to wait (in seconds) is set through the option named 'security.loginThrottle.minWaitTimeSeconds'.

The blocked time increases when more failed attempts occur, up to the maximum number of seconds set through the option named 'security.loginThrottle.maxWaitTimeSeconds'.

When the log-in attempts of a user have failed (defined through the options named 'maxFailedUsernameAttempts' or 'maxFailedIpAttempts'), the maximum time that a user has to wait (in seconds) is set through the option named 'security.loginThrottle.maxWaitTimeSeconds'.

When log-in throttling is enabled through the option named 'security.loginThrottle.maxFailedIpAttempts', any trusted IP addresses that should never be blocked can be white-listed by using the option named 'security.loginThrottle.ipWhiteList'.

Use this for example to exclude the Studio Server IP address where many different user requests come from the same source.

security.loginThrottle.ipWhiteList=0:0:0:0:0:0:0:1

Note: Separate users on this IP may still be blocked when the option 'security.loginThrottle.maxFailedUsernameAttempts' is exceeded.
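As an added example (not Assets Server's own implementation), the throttling options described above modelled together: separate IP and IP+user-name counters, a wait time that grows from minWaitTimeSeconds up to maxWaitTimeSeconds, the white-list, and X-Forwarded-For trusted only when 'security.runningBehindLoadBalancer' is set. The exact counting and back-off rules are this example's assumptions.

```python
import time


class LoginThrottle:
    """Models the log-in throttling options named in the text. Option names are
    the page's; counting and back-off rules are assumptions of this example."""

    def __init__(self, max_failed_ip=10, max_failed_user=5, min_wait=30,
                 max_wait=600, ip_whitelist=(), behind_load_balancer=False):
        self.max_failed_ip = max_failed_ip      # security.loginThrottle.maxFailedIpAttempts
        self.max_failed_user = max_failed_user  # security.loginThrottle.maxFailedUsernameAttempts
        self.min_wait = min_wait                # security.loginThrottle.minWaitTimeSeconds
        self.max_wait = max_wait                # security.loginThrottle.maxWaitTimeSeconds
        self.ip_whitelist = set(ip_whitelist)   # security.loginThrottle.ipWhiteList
        self.behind_lb = behind_load_balancer   # security.runningBehindLoadBalancer
        self.failures = {}  # counter key -> (failed attempts, blocked-until timestamp)

    def client_ip(self, remote_addr, headers):
        """Trust X-Forwarded-For only when a load balancer really sits in front;
        otherwise the header is client-supplied and must be ignored (see the caution)."""
        if self.behind_lb and "X-Forwarded-For" in headers:
            return headers["X-Forwarded-For"].split(",")[0].strip()
        return remote_addr

    def _keys(self, ip, username):
        # Two independent counters: per IP (skipped for white-listed IPs) and per
        # IP+user name, so one user's failures do not block everyone behind a NAT.
        keys = [] if ip in self.ip_whitelist else [(("ip", ip), self.max_failed_ip)]
        return keys + [(("user", ip, username), self.max_failed_user)]

    def _wait_seconds(self, count, limit):
        # Assumed back-off: minWaitTimeSeconds once the limit is reached, doubling
        # per extra failure, capped at maxWaitTimeSeconds.
        return min(self.min_wait * 2 ** (count - limit), self.max_wait)

    def is_blocked(self, ip, username, now=None):
        now = time.time() if now is None else now
        return any(self.failures.get(k, (0, 0))[1] > now for k, _ in self._keys(ip, username))

    def record_failure(self, ip, username, now=None):
        now = time.time() if now is None else now
        for key, limit in self._keys(ip, username):
            count = self.failures.get(key, (0, 0))[0] + 1
            until = now + self._wait_seconds(count, limit) if count >= limit else 0
            self.failures[key] = (count, until)

    def record_success(self, ip, username):
        # Clears the per-user counter only; the IP counter keeps guarding against
        # guessing across many user names from the same address.
        self.failures.pop(("user", ip, username), None)
```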

Assets Server can be configured to issue HTTPS-only session cookies by adding the 'Secure' directive to these cookies.

Cookies with the 'Secure' directive are only sent by Web browsers when they connect to the server over HTTPS. This prevents the session cookie from being exposed over an unencrypted channel when for example a user's Web browser is (un)intentionally directed to HTTP instead of HTTPS.

session.cookie.secure=auto

Possible values:

enabled

disabled

auto. Default setting. Enabled if HTTP is disabled through the 'httpEnabled' setting; otherwise disabled.

Note: When an HTTPS-terminating proxy or load balancer is used in front of Assets Server and the connection between them is HTTP, set the option to 'enabled'.